2318956d1fb96ad734cebf1776a2953c4e47ab4320fcfe9d2fcad8f52eae8758

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2318956d1fb96ad734cebf1776a2953c4e47ab4320fcfe9d2fcad8f52eae8758.exe
Size

3.1MB
MD5

b822096ac797783e9b1d532b371b0f26
SHA1

c65520188c0f7a666a9397de84e11c997ccecc56
SHA256

2318956d1fb96ad734cebf1776a2953c4e47ab4320fcfe9d2fcad8f52eae8758
SHA512

cb1d318343357b929ec9b5abf8f0bb9439d238ec879e46f2e758195870ba1e90aca04ec49cf2d0902972c159d0153cb9e11f936d416d91393cf4746ce75c7f79
SSDEEP

98304:8AJbF/eB26JB6+hafAQ2NFSrsf9qgMsIZ/JUFmRT2H:5GpafS0U9q0IFYz

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1820	setup.exe
3248	setup.exe
2532	setup.exe
3272	setup.exe
4332	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
1820	setup.exe
3248	setup.exe
2532	setup.exe
3272	setup.exe
4332	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2318956d1fb96ad734cebf1776a2953c4e47ab4320fcfe9d2fcad8f52eae8758.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 625708.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4232	msedge.exe
4232	msedge.exe
4060	msedge.exe
4060	msedge.exe
4516	identity_helper.exe
4516	identity_helper.exe
5640	msedge.exe
5640	msedge.exe
5640	msedge.exe
5640	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1820	setup.exe
1820	setup.exe
1820	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 1820	4224	2318956d1fb96ad734cebf1776a2953c4e47ab4320fcfe9d2fcad8f52eae8758.exe	83
PID 4224 wrote to memory of 1820	4224	2318956d1fb96ad734cebf1776a2953c4e47ab4320fcfe9d2fcad8f52eae8758.exe	83
PID 4224 wrote to memory of 1820	4224	2318956d1fb96ad734cebf1776a2953c4e47ab4320fcfe9d2fcad8f52eae8758.exe	83
PID 1820 wrote to memory of 3248	1820	setup.exe	84
PID 1820 wrote to memory of 3248	1820	setup.exe	84
PID 1820 wrote to memory of 3248	1820	setup.exe	84
PID 1820 wrote to memory of 2532	1820	setup.exe	85
PID 1820 wrote to memory of 2532	1820	setup.exe	85
PID 1820 wrote to memory of 2532	1820	setup.exe	85
PID 1820 wrote to memory of 3272	1820	setup.exe	92
PID 1820 wrote to memory of 3272	1820	setup.exe	92
PID 1820 wrote to memory of 3272	1820	setup.exe	92
PID 1820 wrote to memory of 4060	1820	setup.exe	94
PID 1820 wrote to memory of 4060	1820	setup.exe	94
PID 3272 wrote to memory of 4332	3272	setup.exe	93
PID 3272 wrote to memory of 4332	3272	setup.exe	93
PID 3272 wrote to memory of 4332	3272	setup.exe	93
PID 4060 wrote to memory of 4588	4060	msedge.exe	97
PID 4060 wrote to memory of 4588	4060	msedge.exe	97
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 3120	4060	msedge.exe	99
PID 4060 wrote to memory of 4232	4060	msedge.exe	100
PID 4060 wrote to memory of 4232	4060	msedge.exe	100
PID 4060 wrote to memory of 1752	4060	msedge.exe	101
PID 4060 wrote to memory of 1752	4060	msedge.exe	101
PID 4060 wrote to memory of 1752	4060	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\2318956d1fb96ad734cebf1776a2953c4e47ab4320fcfe9d2fcad8f52eae8758.exe
"C:\Users\Admin\AppData\Local\Temp\2318956d1fb96ad734cebf1776a2953c4e47ab4320fcfe9d2fcad8f52eae8758.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\7zS0809E537\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS0809E537\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\7zS0809E537\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS0809E537\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=113.0.5230.75 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x74061864,0x74061870,0x7406187c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3248
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\7zS0809E537\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0809E537\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1820 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241120144846" --session-guid=c057bf01-b48b-4776-859b-2d11fbfafda6 --server-tracking-blob=MWY0ZjA2N2JjNjVjNTRlMGZlYmU0YjExMjhlYTA1NDIzMjczMWUzNzQ3MmQ2Mjc3NTkzZjM2OTQ5MTAxYmI4OTp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIEdYIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=7009000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\7zS0809E537\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS0809E537\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=113.0.5230.75 --initial-client-data=0x338,0x33c,0x340,0x308,0x344,0x71911864,0x71911870,0x7191187c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd30146f8,0x7ffdd3014708,0x7ffdd3014718
      4⤵
      PID:4588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:3120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
      4⤵
      PID:1752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
      4⤵
      PID:1396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
      4⤵
      PID:4616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
      4⤵
      PID:2440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
      4⤵
      PID:4036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4472 /prefetch:8
      4⤵
      PID:1504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      4⤵
      PID:4292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5824 /prefetch:8
      4⤵
      PID:3564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
      4⤵
      PID:3844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
      4⤵
      PID:4944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
      4⤵
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      4⤵
      PID:5404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      4⤵
      PID:5412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,2714327414259836458,16951369405697748509,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3368 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
a5b4a4a3dcbabb40be14d7ba96c4f1ab

SHA1
1276699a2ca4274dbd8dc76cc5a1f082cece2ed8

SHA256
067b6ce40e30e9ca418b69ddc9b37b3cef26a12ff10ef0ea30fb94b91034c0fd

SHA512
facd8230d6d590cd11910ee98597d440da583ef76461e2c2e1023617655a939ea49fbcee7e1e6eb87e41e91bdec62bc55de3b0cd599ae3772e63631cc1d641bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
6b8fa163d69d848ed4d087edc7125843

SHA1
232d0bdfbc154268d33c7b86239aa752c52eeb9f

SHA256
22f8196f48d5584738187ec00dfa916ee27cec5ac1085fb60885bb7ed6f0ce1f

SHA512
2770a3812c00432dae1862b75243dacf05a6a3e30207816ed7404de4098958a6d97a3505010c5d371d870f5f7c19feccf73955d92131a9c39a6c56e975bb506a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
2234a2da0c7ba427c516a7ba532be7f4

SHA1
71bbac1f00303abebe6b8ee9f8cb1ec3f72e1e83

SHA256
a7c433170beb0d6d06d2b3e12790688c320e911d1217ec0eb90c6d46a28a5abb

SHA512
fdf3757943c042323652f78bb3135032c7268f61d6ec11317316768cde45527846de1e2c4bdeac2add5ccc8fa1548a8a53c514573eb07637669380e4d493790d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
e2705e3c0b0e009059f5ad82eeb98524

SHA1
23733d25f7f0b5c98cf4ef33871e651b94d58dbf

SHA256
d1041d807bfc245a95dbc19bb7bfd5b68f2cc14830da05840123a96518fd66be

SHA512
db932648a6d64b9b8fc0d689a1ec0ff76919d1afe3c24bc1dbd7cd63f7a7392df10d0a2165be31c38883dd74840605e5e8a8052f75a37794027770e1aed18db3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
7b5b083b6725206331aa0ce5f328f1ad

SHA1
672b9dc1e2328afc1f25fc8803e0ec28eadc0c35

SHA256
c5bc09f9dbe195bed56c5cef39e3e32cc1e31266cc62041aa091230a2edf5e6d

SHA512
8c933abec42a7d95fba3baecda73c08dca5368d3bd22d58fd856291240267f765c96fd2d2ed11863acb3a0c4ef196a6e9352628f83134d8a1e4003496878aa8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
6b13a8f8b7b966ab11846f9ed78cc6b3

SHA1
d0988f6a590e990308c5ccfb746c8ab99ba1a590

SHA256
97435c8b429b33be513f5e66e62a05b96a2168005d7e4d7c63746098cfaea290

SHA512
5050ae370ef360afa4731e8b20a0d787e29ad5700cd644dfdf7345281f0bb7340aa54f930da0a74f4899a032ea03d62e2a66185682b259a145d08953e404c34a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
b4cc239f2ea459d9e2856c2d2bf81722

SHA1
7178cd95e7fc8f25519fca827107884c7112e6cd

SHA256
15fd99c1788c19aa4fd8a795931b2dc186a8fdd8d78df60128e2fc642c5c108a

SHA512
fb71bcae01c8b8b30ab735406b6f38fbd872117e018d773c7bdb5082eac4b015a1d3f89171d31c24f42909738383e06617511279e27efb1f72b9047d1764ea9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
e035ae03d6af2a7d58cc489f44dbef03

SHA1
c9f8c53d0f9dad33f1bdaccdb31da1a9b6d6e54e

SHA256
4952ce2cc13b604cb68a71ffdc534554e21bbc667152ba1091729f3785ea5f58

SHA512
1cfd4b30b0346b95e0fb67acb7f5816afa04b333212953ac193bfb73eca6dc013e9a52315df9090d374c5e283257c2eedf11cb8e022853e909b033c3b4f84638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
98ae1aa30e1b1e68bdfcc56c527dca87

SHA1
9d43b41ab0d580b54bed3c6149d586e0bb37f2de

SHA256
d78d7318cfbff0fa08e67c842aec6880fb94a0e974432f14f90f4c045b4517da

SHA512
1ba5fe1b5c768513185cad7935744d38f777159ec8ebbf5363b2109c300c31486986b6272cf847436a966e99ca3c7a222c3e9bdf2d59c4818e7bbc7c4d70f166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6e33f0d15aed5368b62a551cc2c6d058

SHA1
c45b868ee9ed17f01cf783f1b6537a3c3cd7d41d

SHA256
c015ec278c46dd7692258c6d9430f314dd02cfebed9dcbc93123518b5dbfd626

SHA512
d2ecb03c91251ba786640a9793cbd8f815cf8aadba3f7abe45a58124e7e7a4f42e6f94daec25561b2b112b749ca7aa12315302fec1ef18693711c976ff71dfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
42efebbc9d2b172eaf01d44466baa8b9

SHA1
dd57695835859dc8dc7cb547c1e1329e46fe716e

SHA256
628c20f95ba9a0adb8434c2afc9fd3f0f9392516e4f5f785480ac9923c1d250e

SHA512
f7606327bd8ec8e26a89bb8cdea1189bc946741ef621cdb47a1f8311ee3e7f099cd9a6fb616a2e0f5e60cc124c127e771179ceb29581df908b525b96279bbf6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0cacda99cbb773381a3f33739a54640

SHA1
ae51c1f917530d043ef7c4e5bf2869f168a2fd3a

SHA256
ff4d78921f56fa9d3117895236b0bb30d73b0057263a13eb7c214dfdaa7ed682

SHA512
06b8ebc73887b6509670ebdc895fdf6b89abe05ed33d4e4acf00d534391231b33a833bb1789e70c5d503e3a58cba7460c403754c243fb380d1a25b27ee4a9bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b7a5086815bcf80f22dfcd4deb073f02

SHA1
386c48f0d0ba90b32a5d01a91f6918e8a59d3c16

SHA256
2181e65bbd782dc1903489ac97bf608b5048457f2a5ca33e5c1f0eb2569b8fdd

SHA512
8f13690218c303312b22173363925dd817da1ad7c3a3c46b5494ac2373037710e934fb7c4545a7f69ca43fa857e4769b8143e97ba7081ca90e755b3105c23f99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
407c9648dd0b298728a06cff869350af

SHA1
5d41e8e8a777fcfe50d8e74b2ea413d810bb35e6

SHA256
3c8bc2e8a30d58ea17d764f423f30937f643f25faacdd4c090ca87621892ffc9

SHA512
7fc6ffc90d2f393cb630e728cb410f7d79858032c15b40fcff0701b461b186390094ec9708876cf40171c57369c476a2307ee87c579b9ad631e9aaf695bba219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582d93.TMP

Filesize
48B

MD5
178fb9e132c0ff491875cc98e551976a

SHA1
523c4e1bd3a05d28104d65cc592d823aec046f38

SHA256
27dcceb8afcd641a24f7f34abab592949b255aa5141b80460212b64af189c850

SHA512
2468e0f8107c509b9374f7bd8713469ccce4442c5c7ea267e7d1c2b2c17132600a941f7c6ebdefc5f6fe01f12d8baa766e2715e43ef93e022d1c2f8a285e53ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8a8565f656a24ec61cd0905d824a3e06

SHA1
7b7eeae1a534953c903e15fd757c2b18c38daf65

SHA256
815d06cdff1e97728e391454573d0c8290aad3c588055af10e9d18fa1aac417a

SHA512
0694d9766f19de8a6b9522f7bd330c4c8f901dbf0d202c8c5b369915c16345ecf672cf21c178903eb236393c1e0cc3008223f03ea1c41fd3a813b92609301474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ca63ab7884c1be23d29cb9439e2b78ed

SHA1
31a87178b70caed4def604f817820c2088763604

SHA256
e771371d7d7d803d48a33b9a813516791ffbd7dae31156c1823792228b86d533

SHA512
ed805d366cb9121f25ee6d1c22325cb85a119fb1404a2d0310026b69c1760dc45e0c57ef033802a5c0017d6693e3d218b5cdc24b92be21c3e6055a9c7213320d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0809E537\setup.exe

Filesize
6.3MB

MD5
eb798e91d503b97614756193e195a7b1

SHA1
06367f70a0b4c6de9e208c419beb84fa10c0eeef

SHA256
406b5edbd94bc38ce345d3c0f34b6b5fcd0405bd290a2ad0fd55c08b0695eed8

SHA512
5738431f355f599e88ec8b603f692a23a779ef41183ee1ebad3f7c81a9296a3df626d852cca1256791cc665d912f8f73c4ac00a15e4f96259c253290a40ba020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2411201448450251820.dll

Filesize
5.8MB

MD5
d9566efedb5ea286e12826594a40e623

SHA1
eba69b688be145e73103ec9587db22e072ee9fb5

SHA256
d09af4042577f9c1c72863df791b0114d25086cbf9fa3012b765157ddcbbdf33

SHA512
daa4adc5f254088d3b8d22d27b5af3d3663630017903f64377579cba46c0b8e4ffa427b7e51ccdc214e70ed835e2ff9ec2baf4a28a194a1c22dd2ee2abf653bb

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
a61581f818380fddfd5902f3a709cf3f

SHA1
97b3d20638ea14595c4c28edd6329e0395d6deac

SHA256
0fcf051f47bb1d05d278258f950137d0bfa6345a105ae315f157a8412143c118

SHA512
50d42b207635211aaf155b706962ab3379b1c2d88e891a9c12df1d51673b95c76b22790fbdd9b8669afcbbf9af7b82f9f0169673975fae976b5fd4ecc10974c7

Download Submit